How can I grant access to a secondary account to push or pull images in my Amazon ECR repository?
Last updated: 2019-08-23
I want to allow a secondary account to push or pull images in my Amazon Elastic Container Registry (Amazon ECR) image repository. How can I give my secondary account access to my image repository so that it can pull or push images?
To push or pull images to or from an Amazon ECR repository in another account, you must create a policy that allows the secondary account to perform API calls against the repository. After you configure the permissions and obtain a token for the repository, you can push or pull images based on the actions allowed. The user who obtains the token also needs the relevant AWS Identity and Access Management (IAM) API permissions to modify the repository.
1. Open the Amazon ECR console for your primary account.
2. Select the name of the repository that you want to modify.
3. From the navigation menu, choose Permissions.
4. To add a repository policy for your secondary account from within your primary account, choose Edit policy JSON, enter your policy into the code editor, and then choose Save.
Important: In your policy, include the account number of the secondary account and the actions that the account can perform against the repository. For an example of a repository policy, see Example: Allow Other Accounts.
The secondary account can't perform the policy actions on the repository until it receives a required temporary authentication token that's valid for 12 hours. To get a Docker authentication token for an account that pushes and pulls images outside Amazon ECS, run the following get-login command using your primary account ID for the --registry-ids parameter:
$ aws ecr get-login --registry-ids 123456789012 --region us-east-1
The token allows you to use the regular Docker push and pull commands against the primary accounts repository using a token generated from the secondary account. To use Amazon ECS to pull images from the repository, set the image in the task definition.
Note: The account that gets the token requires permissions for the necessary API calls in the repository account. For examples, see Amazon ECR Managed Policies. To troubleshoot issues with Docker, enable the debug mode on your Docker daemon.